HSTS not fully applied



  • After enabling HTTP Strict Transport Security I find that a few URLs are not redirected, when I expected all requests (the address URL and all embedded/linked images/scripts/styles/frames) to be redirected to their HTTPS version.

    For example, after enabling STS for simplemachines.org and simplemachinesweb.com and their subdomains, there's still no green badge on their login page because while Vivaldi redirects most of the page's network requests as expected (e.g. http://media.simplemachinesweb.com/site/images/github2.png gets a "307 Internal Redirect" to https://media.simplemachinesweb.com/site/images/github2.png which loads fine), other requests are simply blocked as mixed-content (e.g. http://media.simplemachinesweb.com/smf/default/css/webkit.css, which does load OK directly from the address bar, again with a 307 to the HTTPS version, Non-Authoritative-Reason:HSTS, Upgrade-Insecure-Requests:1).

    Is this an issue in Chromium, or somehow with the website?



  • @Dantesoft said in HSTS not fully applied:

    simplemachines.org

    That is a problem with the website. Other browsers don't get SSL for subdomains, too.



  • @Gwen-Dragon said in HSTS not fully applied:

    That is a problem with the website. Other browsers don't get SSL for subdomains, too.

    I’m afraid I don’t get your point.

    Are you saying that the problem is with their webserver misbehaving on GET requests, or having misconfigured (sub)domains?
    (I agree that they should reference their resources with //media.simplemachinesweb.com/ instead of explicitly http://…)

    I don’t know how to control HSTS in other browsers, but when enabling it in Chrome I see the same thing when loading the login page:
    http://media.simplemachinesweb.com/smf/default/css/webkit.css doesn’t redirect automatically to https://media.simplemachinesweb.com/smf/default/css/webkit.css



  • @Dantesoft
    I tried the HSTS net-internals with:

    • Chromium 57
    • Vivaldi 1.8 (Chromium 57)
    • Vivaldi 1.7 (Chromium 56)
    • Opera 43 (Chromium 56).

    I don't have Google Chrome anymore. So, I couldn't test with Chrome 56 & 57.

    Forcing HSTS:
    simplemachines.org is just broken, with the mixed-content icon showing up, while simplemachines.com just gives a "Your connection is not private" page. If you check their site source, it has http & https pointing randomly everywhere.

    Without forcing HSTS:
    simplemachines.org is still broken, with the mixed-content icon showing up, while simplemachines.com just goes http.

    My "Smart-HTTPS" & "KB SSL Enforcer" extensions don't detect that either of those sites is designed to accept secure connections. Forcing them doesn't do any good.



  • Thanks for replicating the issue (let’s ignore simplemachines.com for now).

    I’ve also tried manually forcing HTTPS with the “HTTPS Everywhere” extension, and still couldn’t get any extra HTTP resource to redirect to HTTPS.

    I suspect there’s some STS bug in Chromium.
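To see why one resource on that login page gets the "307 Internal Redirect" while the other is blocked as mixed content, here is a small Python model of the browser's decision, added for this thread; it is not code from Chromium, Vivaldi or any of the posters. It follows RFC 6797 host matching (known host plus includeSubDomains) and the Mixed Content spec's split into blockable and optionally-blockable requests, and it assumes (marked in the code) that Chromium refuses blockable mixed content in the renderer before the network stack would apply the HSTS upgrade; the HSTS store contents are a constructed sample.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

@dataclass(frozen=True)
class HstsEntry:
    host: str                 # HSTS host as stored by the browser (lower-case)
    include_subdomains: bool  # the includeSubDomains directive

# Constructed sample store: the two domains the poster enabled, with subdomains.
HSTS_STORE = (
    HstsEntry("simplemachines.org", include_subdomains=True),
    HstsEntry("simplemachinesweb.com", include_subdomains=True),
)

# Request destinations the Mixed Content spec classes as "blockable" (active content).
# Images, audio and video are "optionally-blockable" and are still requested.
BLOCKABLE = {"script", "style", "iframe", "xhr", "fetch", "font", "object"}

def hsts_covers(host: str, store=HSTS_STORE) -> bool:
    """RFC 6797 host matching: exact known host, or a superdomain whose entry
    carries includeSubDomains (label-aligned, so 'evilsimplemachines.org' never matches)."""
    host = host.lower().rstrip(".")
    for entry in store:
        if host == entry.host:
            return True
        if entry.include_subdomains and host.endswith("." + entry.host):
            return True
    return False

def resolve_subresource(url: str, destination: str, store=HSTS_STORE):
    """Decide what an https:// page's http:// subresource becomes.
    Returns ('blocked' | 'upgraded' | 'loaded', final_url)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return ("loaded", url)
    # Assumption about Chromium's ordering: blockable mixed content is refused in the
    # renderer before a network request exists, so HSTS never sees it.
    if destination in BLOCKABLE:
        return ("blocked", url)
    # Optionally-blockable content is requested; the network stack applies the HSTS
    # "307 Internal Redirect" (Non-Authoritative-Reason: HSTS) if the host is covered.
    if hsts_covers(parts.hostname or "", store):
        return ("upgraded", urlunsplit(("https",) + tuple(parts[1:])))
    return ("loaded", url)  # plain http; the page shows the mixed-content warning instead

if __name__ == "__main__":
    for u, d in (("http://media.simplemachinesweb.com/site/images/github2.png", "image"),
                 ("http://media.simplemachinesweb.com/smf/default/css/webkit.css", "style")):
        print(d, *resolve_subresource(u, d))
```

The site-side fix is either scheme-relative or https:// references, or a `Content-Security-Policy: upgrade-insecure-requests` header, which rewrites the URL inside the renderer before the mixed-content check and therefore reaches the stylesheet as well.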

